Visa cards ‘frighteningly easy’ to hack

Details can be easily taken from Visa credit and debit cards, university study claims.

Fraudsters could work out security details of Visa debit and credit cards in just six seconds by using a relatively simple trick, a university has warned.

A so-called Distributed Guesswork Attack would allow scammers to thwart security features put in place to prevent online fraud, giving them access to card numbers, expiry dates and security codes, according to Newcastle University.

Its believed a similar technique was used in the recent Tesco Bank hack, where almost 10,000 customers had money stolen from their accounts.

However, a Visa spokesperson has questioned the research, claiming it doesn’t take into account the “multiple layers of fraud prevention” within its payments system.

“Frighteningly easy” for attackers

While a website will block you if you enter details incorrectly a number of times, the current online payment system does not detect multiple invalid payment requests on different sites, explains Mohammed Ali, a PhD student and lead author of the university’s report.

“This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.

"Also, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw.

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time."

“Each generated card field can be used in succession to generate the next field and so on. If the hits are spread across enough websites then a positive response to each question can be received within two seconds – just like any online payment.”

What Visa says

A Visa spokesperson said the research “does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world".

They added: "Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally."

The company also pointed out that it had its own security system, Verified by Visa, to further protect customers. What’s more, anyone who’s card was accessed fraudulently would be fully reimbursed, it added.

In the recent Tesco Bank hack, all affected customers were refunded within a matter of days.